
EAGERBEE, with updated and novel components, targets the Middle East

Threat Actors: CoughingDown threat group (potential attribution)

Campaign Overview: Deployment of the EAGERBEE backdoor at ISPs and governmental entities in the Middle East. A new service injector and new plugins were uncovered.

Target Regions: Middle East

Methodology:
• DLL hijacking vulnerability exploited.
• Use of a backdoor injector (“tsvipsrv.dll”) and a payload file (“ntusers0.dat”).
• Timestamp manipulation and setting file attributes to hidden and system.
• Commands executed for lateral movement using stolen credentials.

Products Targeted: Microsoft Windows environments, including Active Directory Domain Services (AD DS)

Malware Reference:
• EAGERBEE backdoor
• Service injector targeting the Themes service
• Plugin Orchestrator and associated plugins

Tools Used:
• PowerShell
• attrib.exe
• rar.exe

Vulnerabilities Exploited: DLL hijacking vulnerability

TTPs:
• Timestamp manipulation of malicious files.
• Use of a mutex to control execution.
• Collection of system and network details.
• Connection to C2 servers through proxies.
• Injection of plugins into memory.
• Use of a remote shell and persistence techniques.
• Reflective DLL injection.

Attribution: Potential connection to the CoughingDown threat group

Recommendations:
• Restrict execution of untrusted DLLs.
• Monitor for suspicious process creations and unusual network connections.
• Implement robust privilege management.
• Apply patches to mitigate DLL hijacking vulnerabilities.
• Use endpoint detection and response (EDR) tools to monitor for backdoor activity.
• Enforce strict file access and attribute modification policies.

Source: Securelist by Kaspersky

Read full article: https://securelist.com/eagerbee-backdoor/115175/

The above summary has been generated by an AI language model


Source: Securelist by Kaspersky

Published on: January 12, 2025
